Auditing requests with null indices (elastic/x-pack-elasticsearch#4016)
Adds null check. relates elastic/x-pack-elasticsearch#3988 Original commit: elastic/x-pack-elasticsearch@64bab62ca6
This commit is contained in:
parent
8d68b03cb6
commit
d31d90d378
|
@ -287,8 +287,8 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void authenticationFailed(String realm, AuthenticationToken token, RestRequest request) {
|
public void authenticationFailed(String realm, AuthenticationToken token, RestRequest request) {
|
||||||
if (events.contains(REALM_AUTHENTICATION_FAILED)
|
if (events.contains(REALM_AUTHENTICATION_FAILED) && filterPolicyPredicate
|
||||||
&& filterPolicyPredicate.test(new AuditEventMetaInfo(Optional.of(token), Optional.of(realm), Optional.empty())) == false) {
|
.test(new AuditEventMetaInfo(Optional.of(token), Optional.of(realm), Optional.empty())) == false) {
|
||||||
if (includeRequestBody) {
|
if (includeRequestBody) {
|
||||||
logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}], request_body=[{}]",
|
logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}], request_body=[{}]",
|
||||||
localNodeInfo.prefix, realm, hostAttributes(request), token.principal(), request.uri(),
|
localNodeInfo.prefix, realm, hostAttributes(request), token.principal(), request.uri(),
|
||||||
|
@ -514,7 +514,10 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
|
||||||
|
|
||||||
static Optional<String[]> indices(TransportMessage message) {
|
static Optional<String[]> indices(TransportMessage message) {
|
||||||
if (message instanceof IndicesRequest) {
|
if (message instanceof IndicesRequest) {
|
||||||
return Optional.ofNullable(((IndicesRequest) message).indices());
|
final String[] indices = ((IndicesRequest) message).indices();
|
||||||
|
if ((indices != null) && (indices.length != 0)) {
|
||||||
|
return Optional.of(((IndicesRequest) message).indices());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return Optional.empty();
|
return Optional.empty();
|
||||||
}
|
}
|
||||||
|
|
|
@ -48,6 +48,8 @@ import java.util.Map;
|
||||||
|
|
||||||
import static org.hamcrest.Matchers.equalTo;
|
import static org.hamcrest.Matchers.equalTo;
|
||||||
import static org.hamcrest.Matchers.is;
|
import static org.hamcrest.Matchers.is;
|
||||||
|
import static org.hamcrest.Matchers.not;
|
||||||
|
import static org.hamcrest.Matchers.containsString;
|
||||||
import static org.mockito.Mockito.mock;
|
import static org.mockito.Mockito.mock;
|
||||||
import static org.mockito.Mockito.when;
|
import static org.mockito.Mockito.when;
|
||||||
|
|
||||||
|
@ -703,6 +705,59 @@ public class LoggingAuditTrailTests extends ESTestCase {
|
||||||
assertEmptyLog(logger);
|
assertEmptyLog(logger);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void testRequestsWithoutIndices() throws Exception {
|
||||||
|
final Logger logger = CapturingLogger.newCapturingLogger(Level.INFO);
|
||||||
|
final Settings allEventsSettings = Settings.builder()
|
||||||
|
.put(settings)
|
||||||
|
.put("xpack.security.audit.logfile.events.include", "_all")
|
||||||
|
.build();
|
||||||
|
final LoggingAuditTrail auditTrail = new LoggingAuditTrail(allEventsSettings, clusterService, logger, threadContext);
|
||||||
|
final User user = new User("_username", new String[] { "r1" });
|
||||||
|
final String role = randomAlphaOfLengthBetween(1, 6);
|
||||||
|
final String realm = randomAlphaOfLengthBetween(1, 6);
|
||||||
|
// transport messages without indices
|
||||||
|
final TransportMessage[] messages = new TransportMessage[] { new MockMessage(threadContext),
|
||||||
|
new org.elasticsearch.action.MockIndicesRequest(IndicesOptions.strictExpandOpenAndForbidClosed(), new String[0]),
|
||||||
|
new org.elasticsearch.action.MockIndicesRequest(IndicesOptions.strictExpandOpenAndForbidClosed(), (String[]) null) };
|
||||||
|
final List<String> output = CapturingLogger.output(logger.getName(), Level.INFO);
|
||||||
|
int logEntriesCount = 1;
|
||||||
|
for (final TransportMessage message : messages) {
|
||||||
|
auditTrail.anonymousAccessDenied("_action", message);
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.authenticationFailed(new MockToken(), "_action", message);
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.authenticationFailed("_action", message);
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.authenticationFailed(realm, new MockToken(), "_action", message);
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.accessGranted(user, "_action", message, new String[] { role });
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.accessDenied(user, "_action", message, new String[] { role });
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.tamperedRequest("_action", message);
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.tamperedRequest(user, "_action", message);
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.runAsGranted(user, "_action", message, new String[] { role });
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.runAsDenied(user, "_action", message, new String[] { role });
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
auditTrail.authenticationSuccess(realm, user, "_action", message);
|
||||||
|
assertThat(output.size(), is(logEntriesCount++));
|
||||||
|
assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private void assertMsg(Logger logger, Level level, String message) {
|
private void assertMsg(Logger logger, Level level, String message) {
|
||||||
final List<String> output = CapturingLogger.output(logger.getName(), level);
|
final List<String> output = CapturingLogger.output(logger.getName(), level);
|
||||||
assertThat(output.size(), is(1));
|
assertThat(output.size(), is(1));
|
||||||
|
|
Loading…
Reference in New Issue